Ken, you are correct (see below). And in fact, if the page came from the
right source (as validated by SSL and a secure browser extension such as
TrustBar), I don't think there is any need to validate the source (which
is impractical even for the geekest geek). After all, if a site is so
clueless as to send you corrupted scripts, it may as well publish your
password directly...
Best, Amir Herzberg
Ken Ballou wrote:
> Unless I misunderstand, the problem is that I cannot determine where my
> login information will go without examining the source of the login
> page. Sure, the form might be posted to a server using https. But,
> without examining the source of the login page, I won't be able to look
> at the certificate for the site to which my credentials have been sent
> until it's too late.
>
> It's still the case that if I retrieve the original login form via
> https, I have to examine the page source to see to which server the form
> will be posted. But I can examine the certificate of the site from
> which I got the form originally to determine whether this is a phishing
> attack. If the login form itself can be shown to have come from an AmEx
> server, I'm probably more comfortable trusting that my credentials are
> going to the right server.
>
> Do I completely misunderstand?
>
> - Ken
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
New: see my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame.html
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]